[OpenAFS-devel] AFS and SSH once again
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 07 Dec 2007 20:24:18 -0800
--On Friday, November 16, 2007 08:10:30 PM +0000 Simon Wilkinson
<sxw@inf.ed.ac.uk> wrote:
> I talked about this at the last AFS BPW. Basically, OpenSSH normally
> performs the PAM auth step from a process that doesn't own the eventual
> shell (in fact, the process is spawned specifically to perform the
> authentication, and then is killed as soon as authentication is
> complete). There are some diagrams of this at
> http://workshop.openafs.org/afsbpw07/talks/simon2.pdf
>
> I suspect that you may be able to get this to work with some versions of
> OpenSSH by disabling the ChallengeResponse option - although this limits
> the types of PAM interaction that you can perform.
I believe mainstream OpenSSH uses PAM only for keyboard-interactive and
never for password. Patches are available which make it use PAM in both
cases. I believe Debian ships with such a patch, but I don't know about
other distributions.
You can work around this behavior by building OpenSSH with
-DUNSUPPORTED_POSIX_THREADS_HACK, which causes it to run pam_authenticate
in a thread instead of a completely separate process. As the name
suggests, this is not something they support, but we've found it to work
quite well.
-- Jeff
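To make the process-model point above concrete, here is a small added model (not OpenSSH or OpenAFS code) of the two ways the PAM step can run: in a forked child that exits, as stock OpenSSH does, or in a thread of the session process, as the -DUNSUPPORTED_POSIX_THREADS_HACK build does. The credential that pam_authenticate would establish is assumed and modelled as a process-local environment variable, which stands in for the per-process state (such as an AFS token) that a real PAM module would set up.

```python
import os
import threading

# Constructed stand-in for the per-process credential a PAM module establishes
# during authentication (an AFS token in the real case, an env var here).
CRED_VAR = "DEMO_AFS_TOKEN"


def pam_auth_step():
    """Stand-in for pam_authenticate()/pam_setcred(): establishes a credential
    in the calling process only. Not real PAM; assumption for this model."""
    os.environ[CRED_VAR] = "token-for-user"


def auth_in_separate_process():
    """Model of stock OpenSSH: the PAM step runs in a child process that is
    torn down as soon as authentication completes.
    Returns True if the parent (the future session process) sees the credential."""
    os.environ.pop(CRED_VAR, None)
    pid = os.fork()
    if pid == 0:
        # Child: authenticate, then exit like sshd's auth helper does.
        pam_auth_step()
        os._exit(0)
    os.waitpid(pid, 0)
    # The child's environment died with it; nothing reached the parent.
    return CRED_VAR in os.environ


def auth_in_thread():
    """Model of the UNSUPPORTED_POSIX_THREADS_HACK build: the PAM step runs in a
    thread of the same process, so whatever it establishes is shared with the
    process that will own the user's shell."""
    os.environ.pop(CRED_VAR, None)
    worker = threading.Thread(target=pam_auth_step)
    worker.start()
    worker.join()
    return CRED_VAR in os.environ


if __name__ == "__main__":
    print("separate process sees credential:", auth_in_separate_process())
    print("thread sees credential:          ", auth_in_thread())
```

The first call returns False and the second True, which is the whole reason tokens obtained during sshd's PAM step never show up in the session unless the authentication runs in the session's own process.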